Research and Application

Menu

clrokr (@clrokr) – 6. Jan 2013
It’s taken longer than expected but it has finally happened: unsigned desktop applications run on Windows RT. Ironically, a vulnerability in the Windows kernel that has existed for some time and got ported to ARM just like the rest of Windows made this possible. MSFT’s artificial incompatibility does not work because Windows RT is not in any way reduced in functionality. It’s a clean port, and a good one. But deep in the kernel, in a hashed and signed data section protected by UEFI’s Secure Boot, lies a byte that represents the minimum signing level.

Finding the right spot

The minimum signing level determines how good an executable’s signature is on a scale like this: Unsigned(0), Authenticode(4), Microsoft(8), Windows(12). The default value on x86 machines is of course 0 because you can run anything you like on your computer. On ARM machines, it defaults to 8.
That means that even if you sign your apps using your Authenticode certificate, the Surface or any other Windows RT device (at this moment) will not run them. This is not a user setting, but a hardcoded global value in the kernel itself. It cannot be changed permanently on devices with UEFI’s Secure Boot enabled. It can, however, be changed in memory.
Finding this byte in the kernel takes a while, there is no exported symbol for it and not even in the symbol database at MSFT. I found it using WinDbg and a machine running Windows 8 Pro, creating processes and watching how the system behaves when the signature checks happen all the way through CI.dll and back. Because Windows 8 and Windows RT are so similar, locating it in the ARM kernel was not hard:SeGetImageRequiredSigningLevel+0x18
LDR R3, =0x59FFA6 This is our byte, 0x19FFA6 at 0x400000 image base
LDRB R3, [R3]
CMP R3, #4
BHI loc_HighSigReq
B.W loc_LowSigReq

There are many more places where you can find this byte accessed, but none of them have an exported symbol.

Prerequisites

A while ago I read an article about how the Windows kernel assumes that data passed by certain processes is always well-formed [1]. This vulnerability exists in Windows RT, but exploitation is a bit harder than on Windows 8 because unsigned binaries can’t be run in the first place (and store apps don’t have the security context you need to attach to other processes). But Microsoft decided to provide something very important [2] that made this whole endeavour a lot easier. This remote debugger, when run as Administrator, can attach to the user’s CSRSS process and manipulate its memory.
CSRSS contains a lot of calls to the vulnerable NtUserSetInformationThread function, including some that use the right parameters to exploit it. This is one of them (from winsrv.dll):TerminalServerRequestThread+0x230
MOVS R3, #0xC
ADD R2, SP, #0x58
MOVS R1, #9
MOV R0, 0xFFFFFFFE
BL NtUserSetInformationThread

A CSRSS thread executes this code. Using a breakpoint, we can change the data structure pointed to by R2 before the NtUserSetInformationThread call happens to exploit the vulnerability. Sadly, this is very impractical because the exploit subtracts 1 from the specified address and we need to subtract 0x80000. This is because we can’t do an unaligned access on ARM (remember, our byte’s offset is 0x19FFA6), so we need to use 0x19FFA4.
We also need the linear address at which the kernel image resides. We can find this out by calling (on the device, this can be done from a store app which will run unsigned) NtQuerySystemInformation with information class 11. If you want to know how to use NtQuerySystemInformation from a store app, read [3]. This gives us a list of all loaded drivers and their image bases, effectively bypassing ASLR in this case (although this is not what ASLR is for, it is annoying in these situations).

We now set a breakpoint directly after the legitimate NtUserSetInformationThread call in TerminalServerRequestThread, pressing a volume button will trigger it. This is where it gets interesting.
Redirect the instruction pointer to the payload in memory and set a breakpoint at the mov r0, r0 instruction at the end. Press F5. Now set the instruction back to the first breakpoint and remove both. Press F5 again.Congratulations, your Windows RT device is unlocked!

Conclusion

Windows RT is a clean port of Windows 8. They are the same thing and MSFT enforces Code Integrity to artificially separate these platforms. It does not stop pirates from modifying store apps (and their license checks) because store apps are the only things that can actually run unsigned. The fact that this method works on Windows 8 as well shows how similar the systems are. You can even enforce Code Integrity on Windows 8 to see what Windows RT feels like!
The decision to ban traditional desktop applications was not a technical one, but a bad marketing decision. Windows RT needs the Win32 ecosystem to strengthen its position as a productivity tool. There are enough “consumption” tablets already.

HI, my name is Kirk I searched binary forex options, and found your page, I see you are interested in Circumventing Windows RT’s Code Integrity Mechanism …, so let me show you my page- Binary Options Software | 100% Auto Trading Signals , please visit my website and you will learn how you can generate 30$-60$ every five – ten minutes, HOUNDREDS of dollars a day, watsh proof video, Greeting Kirk

A fascinating discussion is definitely worth comment.
I think that you ought to publish more on this topic, it may not be a taboo
subject but usually people do not speak about such subjects.
To the next! Kind regards!!

Wonderful beat ! I would like to apprentice while you amend your site, how could i subscribe for a blog site?
The account aided me a acceptable deal. I were a little bit familiar of this your
broadcast offered vibrant transparent concept

When you use the Photo Cool Maker program to create your photo projects, you have
the option of adding frames. You can add frames to the photos, and you can add frames to
the background. In this guide, I am going to show you how to add frames to your photos
and to the backgrounds in Photo Cool Maker. You will need to open
your Photo Cool Program. You can open a photo to use for this guide.

CPA Cost Per Action This is banner maker a method of
measuring how much you will pay for a banner ad based on the actions taking.
An action can be considered a click, or it can be considered
a conversion. If a website offers banner advertising on a “CPA basis” this means you only pay when someone actually clicks on your ad (as
opposed to impressions).

You can design and develop your own signs to compliment your banners.
For instance, if you are designing a welcome
banner, you can place attractive and colorful images and concise welcome message.
Welcome banner is a great way to welcome your dear
ones at a conference or even a at party.

Another consideration would be the price. You would not want to pay a small fortune for Beat Making software that you have no experience of.
It would be a better option to start with a comprehensive but
economical software on which you can hone your skills.
Avoid costly programs as what you get for the money is not necessarily any more desirable then the cheaper applications.

You can make a professional sounding beat without
having to spend hundreds of bucks.

Otlix has been dedicated to optimizing the use of media
since 2006. They provide media solutions as
Ad Serving, Ad Delivery, Ads Rotation, Video Advertising
and Ad Management tools. These tools can be used to simplify and better ad Campaigns, and they give you a comprehensive
overview of all of your campaigns with their smart Analytics and Statistics system.

When I originally commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get three emails with the same comment.
Is there any way you can remove people from
that service? Bless you!

With the help of local OCD Forums, choosing required to attend meeting
and share your experiences. Long in the difference between the
place you’re in right this moment and in which you will probably be after achieving these.
While this really is a natural emotion we all feel, for many they have caused these to lose partners and
even their jobs. Try designating a region of your home like a landing strip.

Not because they will be changed into adipose tissue, but because excess
protein in your diet causes you to burn more protein and stare more fat.
These substances are designed to help the body do what it naturally does, solely somewhat faster.
Note that you can only buy Adiphene online as they aren’t available in stores.

Don’t let fat cost-free or perhaps gentle meals trick anyone; them usually comprise copious amounts connected with one more unhealthy element.
It’s conceivable to accomplish this objective the conventional path moreover through an equalized eating methodology
and exercise. Indeed Adiphene weight reduction pill is the answer for those who always goes
on food regimen however can’t endure the meals carving
hunger and the irritability gave rise by dieting.

This process is made possible due to computer chips embedded within entry or ignition keys.
Now, if you were parked in a public area, your first instinct
would be to call any friend or family member to bring you
a spare car key. In this way, the report presents
a complete and coherent analysis of the Indian auto component industry and will prove decisive for clients.

Take note of colours around the room and get art that
includes some of those shades. A couple of wall sconce light arrangements could even be run with the sun.
First, you can’t go wrong with family photos.

Semi-precious gemstones earrings are becoming the best sold earrings for fashion girls.
If you experience problems with your eyes or vision that are not solved by the
usual means, this is an excellent visual therapy to turn to.
1768, Swedish scientists discovered tourmaline Ringnes with piezoelectric and thermoelectric,
and it can produce amazing effects and improve the natural healing power, so tourmaline is extremely popular in Western Europe
and Japan, it can maintain endocrine balance, there is
activation of brain cells The function is to candidates with
testing halls of the treasures of headache have a therapeutic effect.

Hello There. I discovered your weblog using msn. This is a really well written article. I will make sure to bookmark it and return to learn extra of your useful info. Thanks for the post. I will definitely return.